Introduction
Modern applications rely heavily on sessions, tokens and identity checks. When these controls aren’t implemented correctly, attackers can bypass restrictions or take over accounts with little effort. In this guide, I’ll walk you through a checklist of all session-related issues, how to test for them and what their impact can look like. It’s a straightforward way to confirm whether an application’s session handling is actually secure.
1. Old Session Does Not Expire After Password Change
Description: When a user changes their password, all existing active sessions (on other devices or browsers) should generally be invalidated.
Steps to Reproduce:
- Create an account on the target site.
- Log in to the account on two different browsers (e.g., Chrome and Firefox/Incognito).
- On Chrome, navigate to settings and change your password.
- Once the password change is successful, go to the Firefox window (where the old session is active)…
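As an added example (not part of the original post), the following shows the server-side behaviour this check expects: a per-user session generation counter that is bumped on password change, so every session issued earlier is rejected while the session that made the change stays valid. The in-memory `USERS`/`SESSIONS` stores and the helper names are assumptions standing in for a real database.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory stores (assumption: a real app would use its database).
USERS = {}     # username -> {"pw_hash": bytes, "salt": bytes, "session_gen": int}
SESSIONS = {}  # session_id -> {"user": str, "gen": int}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"pw_hash": _hash_password(password, salt),
                       "salt": salt, "session_gen": 0}


def login(username: str, password: str) -> Optional[str]:
    u = USERS.get(username)
    if u is None or not hmac.compare_digest(_hash_password(password, u["salt"]), u["pw_hash"]):
        return None
    sid = secrets.token_urlsafe(32)
    # Each session records the generation it was issued under.
    SESSIONS[sid] = {"user": username, "gen": u["session_gen"]}
    return sid


def session_user(sid: str) -> Optional[str]:
    s = SESSIONS.get(sid)
    if s is None:
        return None
    if s["gen"] != USERS[s["user"]]["session_gen"]:
        SESSIONS.pop(sid, None)  # stale generation: session was invalidated
        return None
    return s["user"]


def change_password(sid: str, old_password: str, new_password: str) -> bool:
    user = session_user(sid)
    if user is None:
        return False
    u = USERS[user]
    if not hmac.compare_digest(_hash_password(old_password, u["salt"]), u["pw_hash"]):
        return False
    u["salt"] = os.urandom(16)
    u["pw_hash"] = _hash_password(new_password, u["salt"])
    u["session_gen"] += 1                    # invalidates all previously issued sessions
    SESSIONS[sid]["gen"] = u["session_gen"]  # keep only the session that made the change
    return True
```

Replaying the reproduction steps against this store: a second browser's session returns no user after the first browser changes the password, which is the outcome the checklist item requires.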